Minutes of the meeting of the Audit and Compliance Committee of the Board of Directors of the Cook County 
Health and Hospitals System held Tuesday, October 13, 2009 at the hour of 9:00 A.M., recessed and reconvened 
on Thursday, October 15, 2009 at the hour of 9:30 A.M., at John H. Stroger, Jr. Hospital of Cook County, 1901 W. 
Harrison Street, in the fifth floor conference room, Chicago, Illinois. 


I. Attendance/Call to Order 


Chairman Munoz called the meeting to order at 9:00 A.M. 

Present: Chairman Luis Munoz, MD, MPH and Directors Benn Greenspan, PhD, MPH, FACHE and Heather 
O’Donnell, JD, LLM (3) 

Absent: None 


Additional attendees and/or presenters were: 


Michael Ayres
Cathy Bodnar
Patrick T. Driscoll, Jr.
Christina Eng-Tran
William T. Foley
Tracy Guidry
Tim Heinrich
Dorothy Loving
Pat Kitchen
Elizabeth Reidy
Deborah Santana
Anthony J. Tedeschi, MD, MPH, MBA


II. Public Speakers 

Chairman Munoz asked the Secretary to call upon the registered speakers. 
The Secretary responded that there were none. 


III. Report from System Corporate Compliance Officer 

Cathy Bodnar, System Corporate Compliance Officer, presented a report (Attachment #1) that included 
information on the following: elements of a compliance program, proposed compliance mission and vision 
statements, and planned compliance activities. Additionally, she presented information on the internal and 
external resources she would need in FY2010 to carry out these duties. 

After the presentation, Director Greenspan requested that they consider increasing the priority of the human 
resources audit, and accelerate to a short-term project the disclosure of conflicts of interest. 


IV. Recommendations, Discussion/Information Items 

A. Minutes of the Audit and Compliance Committee Meeting, July 28, 2009 

Director O’Donnell, seconded by Director Greenspan, moved to accept the minutes of the Audit and 
Compliance Committee Meeting of July 28, 2009. THE MOTION CARRIED UNANIMOUSLY. 

B. Update from ad hoc Corporate Compliance Work Group 

Chairman Munoz stated that Dr. Carolyn Lopez was unable to attend the meeting, so there would not be an 
update for this meeting. 

C. Update on status of the selection of Internal Auditor 

Michael Ayres, System Chief Financial Officer, and William Foley, System Chief Executive Officer, 
provided an update on the status of the selection of Internal Auditor. The recruiter for that position, David 
Gomez and Associates, has three candidates to present for interviews with the Committee. 

The Committee determined that after the other items on the agenda were exhausted, the meeting should 
recess and reconvene on Thursday, October 15, 2009 at 9:30 A.M., at John H. Stroger, Jr. Hospital of Cook 
County, 1901 W. Harrison Street, in the fifth floor conference room, Chicago, Illinois, for the purpose of 
continuing the discussion on the subject and conducting interviews with the three candidates for the position 
of internal auditor. 

D. Update on status of internal audits 

Pat Kitchen and Christina Eng-Tran, of RSM McGladrey, presented an update on the status of the internal 
audits (Attachment #2). 

With regard to the information technology audit, Chairman Munoz inquired whether their team had begun 
the assessment. Mr. Kitchen responded that the initial kick-off meetings are being planned next month; the 
on-site field work will likely begin in November. Director Greenspan inquired whether the focus would be 
on data security, facilities security, or both. Mr. Kitchen responded that the focus will be on data security; 
to the extent that there are physical security constraints around the information systems, they will 
contemplate that as well. 

Director O’Donnell inquired whether the payroll audit was only for John H. Stroger, Jr. Hospital of Cook 
County. Mr. Kitchen responded that initially they will roll the audit out for Stroger Hospital, but will then 
look at the other facilities as the risks evolve. 

E. Presentation of the web-based audit reporting tool (Auditor Assistant) 

Ms. Eng-Tran provided a presentation on the web-based audit reporting tool, Auditor Assistant (Attachment 
#3). 

Chairman Munoz clarified that this tool would be maintained by RSM McGladrey, so that those who have 
access to it can be provided with the most up-to-date information to manage the internal audit functions and 
to review the activities involved. 

Mr. Kitchen stated that this tool provides the design, as well as the operating effect. He provided an 
example in which a deficiency is identified. They would work with the individual responsible for that area 
to identify mitigating controls from a design standpoint. As a result, a policy or procedure will be put in 
place to address the issue. As the next step, after the policy or procedure has been implemented, they can go 
back to test the operating effectiveness of the control. 

Director Greenspan asked, using this example, how long they would wait to go back and audit the utility of 
the control. Mr. Kitchen stated that, depending on the area and the risk associated with it, they would 
typically go back after six months to test the effectiveness. Based upon Mr. Kitchen’s response, Director 
Greenspan asked if they should not expect to see a change in the risk assessments for at least six months after 
their field work begins. Mr. Kitchen responded affirmatively, adding that a six to twelve month time frame 
would be a reasonable expectation to complete the audits, take corrective action, and reassess based on 
subsequent testing. 

F. Update from Deloitte & Touche on 2008 Audit 

Tracy Guidry, of Deloitte & Touche, presented an update on the 2008 Audit. She stated that back in July, 
the Committee was given an update and was presented draft financial statements and a draft management 
letter for their review. At that time, Deloitte & Touche mentioned that they were still working on the 
County’s audit. She stated that they are still working on the County’s audit. They did not receive the trial 
balances from the County for their particular funds until towards the end of September. At this point, they 
are working diligently to audit those numbers. 

Chairman Munoz clarified that with respect to the System, all information is up to date. Ms. Guidry 
responded affirmatively; however, the only issues outstanding with regard to the System are for those areas 
that inter-relate with the County (construction in progress, for example). 

With regard to timelines, Ms. Guidry stated that they are attempting to finish the majority of their field work 
by the end of October, possibly stretching into early November. After that point, they will work on 
reporting. If everything goes according to plan, they hope to issue in mid-November. 


V. Action Items 

A. Any items listed under Section IV 


Chairman Munoz declared the meeting recessed and stated that the meeting would reconvene on Thursday, 
October 15, 2009 at 9:30 A.M., at John H. Stroger, Jr. Hospital of Cook County, 1901 W. Harrison Street, in 
the fifth floor conference room, Chicago, Illinois. 


Thursday, October 15, 2009 


The Committee reconvened at approximately 9:45 A.M. and resumed their discussion of Item IV(C). 

Present: Chairman Luis Munoz, MD, MPH and Director Benn Greenspan, PhD, MPH, FACHE (2) 

Absent: Director Heather O’Donnell, JD, LLM (1) 

Director Greenspan, seconded by Chairman Munoz, moved to recess the regular session and convene into closed 
session, pursuant to the following exception to the Illinois Open Meetings Act: 5 ILCS 120/2(c)(1), which permits 
closed meetings for consideration of “the appointment, employment, compensation, discipline, performance, or 
dismissal of specific employees of the public body or legal counsel for the public body, including hearing 
testimony on a complaint lodged against an employee of the public body or against legal counsel for the public 
body to determine its validity.” THE MOTION CARRIED UNANIMOUSLY. 

Chairman Munoz declared that the closed session was adjourned. The Committee reconvened into open session. 

VI. Adjourn 

As the agenda was exhausted, Chairman Munoz declared that the meeting was adjourned. 


Respectfully submitted, 

Audit and Compliance Committee of the 

Board of Directors of the 

Cook County Health and Hospitals System 


xxxxxxxxxxxxxxxxxxxxxx 

Luis Munoz, MD, MPH, Chairman 


Attest: 


XXXXXXXXXXXXXXXXXXXXXX 
Deborah Santana, Secretary 

Corporate Compliance Report 


Presented To 

Cook County Health & Hospitals System 
Audit & Compliance Committee 

Cathy Bodnar, MS, RN, CHC 
Chief Compliance Officer 
October 13, 2009 

Elements of a Compliance Program 

There are seven required elements [1]: 

□ Setting standards through written policies and procedures 

□ Communicating the standards through regular education and 
training programs 

□ Enforcing standards and disciplining actions that are non-compliant 

□ Providing a mechanism for reporting potential violations 

□ Responding to and investigating the concerns raised 

□ Utilizing monitoring and auditing activities to decrease problems 

□ Maintaining an organizational structure to sustain and enhance the 
program 

Plus one additional implied element: 

□ Identifying and assessing business and reputational risks 

[1] OIG Compliance Program Guidance for Hospitals, Federal Register/Vol. 63, 
No. 35/Monday, February 23, 1998 



Proposed Compliance Mission Statement 


The Corporate Compliance Program supports the mission, 
vision, and core goals of Cook County Health & Hospitals 
System by 

□ Developing standards 

□ Increasing awareness 

□ Promoting honest and ethical behavior 

Through education, awareness, and shared accountability 
that promotes compliance with applicable laws, regulations, 
and system policies. 

Proposed Compliance Vision Statement 

The Corporate Compliance will be a resource to everyone 
affiliated [2] with Cook County Health & Hospitals System. 

[2] For the purposes of this statement, “affiliated” is defined as all 
employees, medical staff, house staff, Board members, 
volunteers, students, consultants, agency personnel, and 
vendors. 

Planned Q4 Activity 

□ Assess each compliance program element 

Status: Anticipated assessment completion date - 11/30/2009 

□ Engage audit & compliance committee 

Status: Formally initiated today -> ongoing 

□ Charter an internal compliance committee 

Status: In process 

□ Redefine the role of the ad hoc committee 

Status: In process 

□ Develop FY10 work plan 

Status: In process 

□ Establish and report compliance metrics 

Status: To be determined 

Assessment Resources 


□ Authoritative source documents 

■ Office of Inspector General (OIG) Compliance Program 
Guidelines 

■ Federal Sentencing Guidelines 

□ External resources 

■ Industry publication and conferences 

■ Reports on the approach to key areas from other 
institutions 

■ Dialog with peers 

□ Discussions with CCHHS staff and affiliates 

Proposed FY10 Team for the System Compliance Program 

□ Chief Compliance Officer 

□ Privacy Officer 

■ Subspecialty: Education 

□ Inpatient/ Facility Focused 

■ Subspecialty: Research 

□ Outpatient/ Professionally Focused 

■ Subspecialty: Grants 

□ Compliance Coordinator 
With the potential to add 

□ Another area of focus not yet identified through 
discovery and/ or strategic planning 

Proposed Purchased Services 

□ External Compliance Consultants 

■ For guidance related to issues & project management 

□ Compliance Hotline (Voice & Web) 

□ Tracking Tool 

■ Reactive compliance issues 

■ Proactive compliance projects 

□ Code of Conduct Development & Rollout 

□ Web-based Compliance Education 

Stretch Project 

□ Conflict of Interest Disclosure Survey 

■ Development & Rollout 

Audit Timeline 

[Chart: Audit Timeline, August 2009 through November 2010. Rows, each with a Planning phase followed by a Fieldwork phase: Grants (Planning/Fact Finding, then Fieldwork); HR/Payroll; IT - System Access and Security; Contract Management; Procurement; Third Party Settlement Accounts; Corporate Compliance; Revenue; IT - System Integration; Financial Statement Preparation.] 


General Note: 

The Planning Phase consists of all planning activities that take place prior to the on-site visit. Activities include, but are not limited to: reviewing the applicable sections of 
the 2009 CCHHS Risk Assessment, relevant committee meeting minutes on the CCHHS website and any background information we have on file; creating a process 
understanding questionnaire; creating a document request list; identifying risks we believe exist in or apply to the area; coordinating the timing for the audit and 
lining up the interviews; reviewing the documents/information provided by the auditee in response to the information request list, etc. 

The Fieldwork Phase consists of conducting process walkthroughs, obtaining detailed understanding of the process/area, documenting our understanding, fine-tuning 
risks and identifying controls in place to mitigate the risks identified, performing control gap analysis, developing and executing the audit program with specific focus 
on testing key controls, documenting test results and reporting audit results to executive management and audit committee, etc. 


Excerpt from the 2009 CCHHS Risk Assessment 

Internal Audit Priorities 

In order to address the higher risk activities and other areas of concern identified during the risk assessment process, the following internal audit activities should occur in the near future. 
These audits are not in any specific order, but RSM McGladrey recommends that these projects be the first 10 internal audits completed by CCHHS: 

• Grants audit with focus on the Hektoen Institute entity. 

• Human Resources and Payroll audit for Stroger Hospital. 

• Audit of Third Party Settlement Accounts. 

• Revenue audit of Stroger Hospital with emphasis on Medicare/Medicaid revenue. 

• IT audit of System Access and Security. 

• IT audit of System Integration. 

• Contracts Management audit for all of CCHHS. 

• Procurement audit for all of CCHHS with focus on Inventory. 

• Corporate Compliance audit with emphasis on Medical Coding. 

• Audit of monthly Financial Statement Preparation process. 

These internal audits can be performed in any order that the Audit Committee deems proper, or can be changed at any time the Audit Committee receives additional information on risks 
to CCHHS. 

RSM McGladrey 

Auditor Assistant ™ Overview 

© 2009 RSM McGladrey Inc. 

RSM McGladrey Inc. is a member firm of RSM International - an affiliation of separate and independent legal entities. 








Auditor Assistant Information Flow 

Management Center 

Define Audit Universe (Auditable Entity) 
Perform Annual Risk Assessments 
Define Annual Audit Plan 
Define Projects and Budget 
Define Background/Scope 

Project Startup: 

Audit Definition, Risk Assessment and Background copied to Fieldwork Center. 

System will also import selected libraries and previous issues be tracked in the Issue Mgmt Center 

Project Close: 

Audit Definition, Risk Assessment, Background, and Audit Report are copied back to Management Center. Last audit date and rating updated on the Auditable Entity. 

Findings are collected in the Issue Mgmt Center for analysis and tracking. 

Fieldwork Centers 

All engagement workpapers up to and including the audit report are created in the Fieldwork Center 

Deliverables: 

Planning Memo 
Final Audit Report 
IT Final Audit Report 
Risk Control Matrix 
Exit Observations Report 

Deliverables: 

Entity Level Risk Assessment Report 
Annual Audit Plan 
Account Materiality Report 
IT Risk Assessment Report 
Audit Committee Report 
Report of Control Adequacy 
Report of Control Effectiveness 
Quarterly Report 

Time/Expense Center 

Generate reports by project, reporting period, manager, auditor. Auditors enter time/expenses against projects and tasks for which totals are summarized on the Audit Definition 

External Document Management Center 

Share reports with users to manage version history and approvals. Restricted web access for business users via the Intranet 

Issue Management Center 

Generate reports by Auditor, Responsible Manager, Status, Risk/COSO Category. Restricted web access for Business users to update issue status via the Intranet 

Profile Manager 

Restricted Access: Reconfigure key aspects of Auditor Assistant by completing system profile forms and keyword lists. 

Employee Center 

Track rotations, promotions, education, demographics in the Employee Center. 

Documentation/Help Center 

Comprehensive user documentation to train and understand the software from the end-user perspective. 

Workprogram Library 

Storage facility for standard programs that may be imported into audits during creation or manually during project scoping 

Template Library 

Centralized repository for reports/deliverable templates used to create manual and automated reports in audit engagements 

Auditor Assistant ™ - Engagement planning 

[Screenshots: Management Center views for a sample company, listing its reports (Account Materiality, Entity Level Risk Assessment, Report of Control Adequacy, Report of Control Effectiveness, Quarterly Report, Status Report, Annual Audit Plan) and its auditable entities with their risk assessments.] 


Understand your business and assess the overall risk in order to generate an annual audit plan. 

Risk assessment based on an analytical review of management reporting and answers to questionnaires. 

The steps in this phase consist of the following: 

• Establish communication protocols with management, including engagement logistics and information requests 

• Analyze risks in the business, financial position and growth expectations, strategies and key objectives, and key controls 

• Assess and rate business risk and control risk, resulting in a “heat map” 

• Understand the “tone at the top” and the control environment, monitoring and risk assessment activities and the effect of entity-wide controls on the execution of transactional activity 

• Determine and document the structure of the organization and who is responsible for the management of major risks in each area, as a foundation for creating the audit universe 

Auditor Assistant ™ - Project scoping 

[Screenshots: Fieldwork Center views of a sample Revenue Cycle Review, showing the Audit Definition, Account Materiality, Background/Scope, Planning Memo, Client Request Letter and Risk Assessment documents, the risks, controls and tests under the Customer and Order Processing section, and the Risk and Control forms (inherent risk factors, control risk factors, COSO component, control type and frequency). The sample control shown, B.200, reads: "Access to the customer master file is limited, new customers and significant changes in customers require approval by Credit management, and reporting is automatically generated by the customer file application to highlight those customers who have incomplete information. Customer files are reviewed for accuracy on a periodic basis."] 

Project scoping is the first phase of the methodology focused on the individual auditable entities. 

Annual audit plan lists the various auditable entities within the organization whose risk was deemed to be at a level that requires an audit. 

The major activities of project scoping are: 

• Determine the various sub-processes within the auditable entity that contain the greatest risk 

• Develop an initial work plan for addressing each major risk area (listing key risks and controls) 

• Create a schedule and detailed budget for the engagement, and communicate a schedule of items needed 

• Develop the project team to perform the various tasks 

The major deliverables are an initial request letter, a detailed work plan or audit program, and a planning memo with estimated hours for each business process. 


Auditor Assistant ™ - Assessing control adequacy 



Determine if the design of the control activities within the various business functions is adequate to mitigate all significant risks to the business. 

• Document understanding of individual business processes, functions and departments deemed in scope, based upon the risk assessment 

• Develop documentation that highlights prevalent risks, their impact to the overall control structure, and the control activities in place to mitigate the risks 

• Identify and categorize controls (key and secondary) to focus on the key controls that will be tested and relied upon in future phases. 

• Perform walkthroughs of the various control activities to validate they are performed as described. 

• Develop recommendations for remediation of any design gaps. 

• Populate the risk and control matrices that describe the inherent risks and key controls and other information related to the controls (these matrices will allow for test programs to be written for appropriate controls). 

Auditor Assistant ™ - Assessing control effectiveness 

[Screenshots: Test and Finding/Observation forms. The Test form records test steps, scope, sampling, description and detailed findings, with a result of: 1. In Progress; 2. Deferred Test; 3. No exceptions noted; 4. Exception(s) noted-pass further review; 5. Exception(s) noted-issue Exit Observation; 6. Exception(s) noted-issue Reportable Observation. The Finding/Observation form records the Auditable Entity Manager, the follow-up auditor, the current status (Open or Closed) and the implementation date.] 


The primary objective is to assess the effectiveness of the control activities in place to mitigate significant business risks. Specific testing must be performed to determine which controls worked as intended, and what control gaps exist. 

The process steps for this phase of the methodology are: 

• Create test plans 

• Request transaction documents, data or evidence from client 

• Execute test, preserving appropriate documentation as required. 

• Analyze exceptions and determine findings and conclusions 

• Complete Risk and Control matrix. 

• Prior to completing fieldwork, discuss initial findings and potential recommendations with client staff. 

Auditor Assistant ™ - Reporting 

[Screenshot: Fieldwork Center reporting view for a sample Information Systems Review, listing the Audit Definition, Executive Summary, Finding/Observation entries, and the IT Draft Report and IT Final Report documents.] 

The Final Report encompasses the executive summary, observations summary, detailed observations and management responses. The purpose of the Internal Audit Report is twofold: 

• Communicate Internal Audit observations and recommendations in a systematic and timely manner. 

• Ensure that all issues are resolved by auditable entity management without significant financial loss or embarrassment. 

The Risk Control Matrix is a key document that contains all of the information the team has assembled on risks and controls in each process, as well as any changes in controls the team is recommending including: 

• Primary risks the project team identifies, 

• Key controls used by the client to manage those risks, 

• Significance of the control (e.g., key or secondary) 

• Type of control (e.g., automated, combined, or manual) 

• Process owner 

• Frequency of control (e.g., daily, weekly, monthly, quarterly, annual) 

• Assertions addressed by control 

Auditor Assistant ™ - Issue Management 

[Screenshots: Issue Management Center web views, which can be displayed By Organization, By Audit or By Management, and a Status Update form on which a manager selects a reason for update (Provide Additional Information, Request Extension, Request Closure) and supplies a close date, basis for close, additional information and supporting documentation.] 

The Issue Management Center is a centralized repository containing all Audit Findings from completed audits and entity level risk assessments. It simplifies management of unresolved audit issues throughout the organization. 

It tracks management's issue updates by recording the date, who provided the update, the action and comments. Auditable Entity Managers will provide their comments through the IMC web interface. 

Each Auditable Entity Manager will be able to provide and edit their responses through this tab on the web. 

The system sends email notifications to Followup Auditors and Business Managers with a summary of upcoming and past due issues. 

Questions? 

RSM McGladrey 

Contact Technology Business Services 

- Mike Rasmussen 
- Director 
- Mike.Rasmussen@rsmi.com 
- 952.921.7729 
- www.rsmmcgladrey.com 






